8
votes

Does anyone know where the vulnerabilities are in Apple's APN push notification services?

We can ensure that our notifications are sent securely to Apple, so we just need to know whether they can be intercepted from that point?

Motivation: We have built an iOS messaging app that we are making as a 100% secure solution, with some features that have never been exploited before in security.

3
Push notification is nothing more than notifying the application it has data/information to look at. You don't send the actual data itself. - Black Frog
@BlackFrog You can send 2kb of data in the payload of the notification. - TimWhiting
You can send 2kb of data, but if you are worried about security you would send only an identifier. When the application receives that identifier, the app then, at that time, connects to the server to get the actual data itself. Again, what part of APRS do you think is vulnerable? - Black Frog
I agree that is the normal way of doing things. I just need to know if there is any reason we shouldn't send the message body in the push notification. It would be much nicer for the end user if they could read the message in the notification; I just need to be sure this is OK from a security point of view. Is there any readily available way for hackers to intercept the notification? That is my main question. - TimWhiting

3 Answers

7
votes

Apple released the UNNotificationServiceExtension last year, allowing developers to send fully-encrypted notification payloads through APNS and then let the app on the end-user's device itself do the decryption (or load any additional supporting data) before displaying the notification:

The UNNotificationServiceExtension class provides the entry point for a Notification Service app extension, which lets you customize the content of a remote notification before it is delivered to the user. A Notification Service app extension does not present any UI of its own. Instead, it is launched on demand when a notification of the appropriate type is delivered to the user’s device. You use this extension to modify the notification’s content or download content related to the extension. For example, you could use the extension to decrypt an encrypted data block or to download images associated with the notification.

My team is investigating this further as a means to send useful notifications in a fully HIPAA-compliant manner, with no ability for Apple to see the plaintext of the notification. We're optimistic.
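A sketch of the approach this answer describes, added here as an example and not taken from the answer or from Apple's documentation: the server sends a generic placeholder alert plus an AES-GCM ciphertext, and the extension swaps in the decrypted body on the device. The `enc` payload field, the keychain service name and the access group are assumptions made for the example; `"mutable-content": 1` is what causes iOS to launch the extension.

```swift
import UserNotifications
import CryptoKit
import Security

// Assumed payload shape (constructed for this example):
//   {"aps": {"alert": {"title": "New message", "body": "Open the app to read it"},
//            "mutable-content": 1},
//    "enc": "<base64 of AES-GCM nonce || ciphertext || tag>"}
final class NotificationService: UNNotificationServiceExtension {
    private var contentHandler: ((UNNotificationContent) -> Void)?
    private var bestAttempt: UNMutableNotificationContent?

    override func didReceive(_ request: UNNotificationRequest,
                             withContentHandler contentHandler: @escaping (UNNotificationContent) -> Void) {
        self.contentHandler = contentHandler
        bestAttempt = request.content.mutableCopy() as? UNMutableNotificationContent
        guard let content = bestAttempt else { contentHandler(request.content); return }
        // Any failure below leaves the generic placeholder alert untouched.
        if let b64 = request.content.userInfo["enc"] as? String,
           let blob = Data(base64Encoded: b64),
           let key = loadSharedKey(),
           let box = try? AES.GCM.SealedBox(combined: blob),  // 12-byte nonce, ciphertext, 16-byte tag
           let plaintext = try? AES.GCM.open(box, using: key), // throws if the tag does not verify
           let body = String(data: plaintext, encoding: .utf8) {
            content.body = body
        }
        contentHandler(content)
    }

    override func serviceExtensionTimeWillExpire() {
        // The system is about to terminate the extension: deliver what we have.
        if let handler = contentHandler, let content = bestAttempt { handler(content) }
    }

    // Reads a 32-byte key that the containing app stored in a keychain access
    // group shared with this extension (service and group names are assumed).
    private func loadSharedKey() -> SymmetricKey? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: "com.example.push-key",
            kSecAttrAccessGroup as String: "TEAMID.com.example.shared",
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data, data.count == 32 else { return nil }
        return SymmetricKey(data: data)
    }
}
```

The placeholder title and body under `aps` still pass through APNs in clear text and are what the user sees if decryption fails, so they should stay generic. The key must be stored with an accessibility class that allows reads while the device is locked (for example `kSecAttrAccessibleAfterFirstUnlock`), otherwise the extension cannot decrypt notifications that arrive on a locked device.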

4
votes

Have a look at this article:

The connection between the device itself and the push cloud service is of course secured over a TLS channel.

...

But what about the actual text and other meta data that is sent with the push message from the app cloud service to the app installed on a device. How it is secured? The thing here is that it is always secured in transport as described above but the message itself is in clear text between these transports.

And it is here the problem with users privacy comes in. All push cloud services have every push message, that is sent through their systems, in clear text.

That is, they have the ability to analyze, look at, share/sell the data. And they have the risk of getting compromised and lose the data to cyber criminals.

So in general, if you want to be on the safe side, don't send any sensitive data with push notifications. Instead, just use push notifications as a syncing mechanism, so to tell the app that there is new data that needs to be fetched in a secure way that you can control.

0
votes

Short answer: You should not include sensitive data in the notification's payload.

More detail: Even though APNs enforces end-to-end, cryptographic validation and authentication using two levels of trust, per Apple documentation, you should not include sensitive data in the payload:

Because the delivery of remote notifications is not guaranteed, never include sensitive data or data that can be retrieved by other means in your payload. Instead, use notifications to alert the user to new information or as a signal that your app has data waiting for it.

For example, an email app could use remote notifications to badge the app’s icon or to alert the user that new email is available in a specific account, as opposed to sending the contents of email messages directly. Upon receiving the notification, the app should open a direct connection to your email server to retrieve the email messages.